====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN146
_____________________________________________________________________

DATE                : 19/03/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Adobe Acrobat, Adobe Reader
       versions prior to 2020.006.20042, 2017.011.30166, 2015.006.30518.

=====================================================================
https://helpx.adobe.com/security/products/acrobat/apsb20-13.html
_____________________________________________________________________

Security Bulletin for Adobe Acrobat and Reader | APSB20-13
Bulletin ID 	Date Published 	Priority
APSB20-13 	March 17, 2020 	2


Summary

Adobe has released security updates for Adobe Acrobat and Reader for
Windows and macOS. These updates address critical and important
vulnerabilities. Successful exploitation could lead to arbitrary code
execution in the context of the current user.


Affected Versions

Product 	Track 	Affected Versions 	Platform

Acrobat DC  	Continuous 	2020.006.20034 and earlier versions  	Windows &
macOS

Acrobat Reader DC 	Continuous  	2020.006.20034 and earlier versions 
Windows & macOS
  	  	  	
Acrobat 2017 	Classic 2017 	2017.011.30158  and earlier versions 
Windows & macOS

Acrobat Reader 2017 	Classic 2017 	2017.011.30158 and earlier versions
Windows & macOS
  	  	  	
Acrobat 2015  	Classic 2015 	2015.006.30510 and earlier versions
Windows & macOS

Acrobat Reader 2015 	Classic 2015 	2015.006.30510 and earlier versions
Windows & macOS


Solution

Adobe recommends users update their software installations to the latest
versions by following the instructions below.    

The latest product versions are available to end users via one of the
following methods:    

    Users can update their product installations manually by choosing
Help > Check for Updates.     

    The products will update automatically, without requiring user
intervention, when updates are detected.     

    The full Acrobat Reader installer can be downloaded from the Acrobat
Reader Download Center.     

For IT administrators (managed environments):     

    Download the enterprise installers
from ftp://ftp.adobe.com/pub/adobe/, or refer to the specific release
note version for links to
installers.     

    Install updates via your preferred methodology, such as AIP-GPO,
bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and
SSH.    

   
Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:    

Product 	Track 	Updated Versions 	Platform 	Priority Rating 	Availability

Acrobat DC 	Continuous 	2020.006.20042 	Windows and macOS 	2
Windows    macOS  

Acrobat Reader DC 	Continuous 	2020.006.20042
Windows and macOS 	2 	Windows    macOS
  	  	  	  	  	
Acrobat 2017 	Classic 2017 	2017.011.30166 	Windows and macOS 	2
Windows     macOS

Acrobat Reader 2017 	Classic 2017 	2017.011.30166 	Windows and macOS
2 	Windows       macOS
  	  	  	  	  	
Acrobat 2015 	Classic 2015 	2015.006.30518 	Windows and macOS 	2
Windows      macOS

Acrobat Reader 2015 	Classic 2015 	2015.006.30518 	Windows and macOS
2 	Windows      macOS


Vulnerability Details

Vulnerability Category 	Vulnerability Impact 	Severity 	CVE Number

Out-of-bounds read   	Information Disclosure   	Important    	
CVE-2020-3804
CVE-2020-3806

Out-of-bounds write	Arbitrary Code Execution      	Critical 	CVE-2020-3795

Stack-based buffer overflow	Arbitrary Code Execution      	Critical
CVE-2020-3799

Use-after-free 	Arbitrary Code Execution  	Critical 	
CVE-2020-3792
CVE-2020-3793
CVE-2020-3801
CVE-2020-3802
CVE-2020-3805

Memory address leak  	Information Disclosure  	Important  
CVE-2020-3800

Buffer overflow   	Arbitrary Code Execution 	Critical
CVE-2020-3807

Memory corruption	Arbitrary Code Execution 	Critical
CVE-2020-3797

Insecure library loading (DLL hijacking)	Privilege Escalation
Important  	CVE-2020-3803


Acknowledgements

Adobe would like to thank the following individuals and organizations
for reporting the relevant issues and for working with Adobe to help
protect our customers:    

    hungtt28 of Viettel Cyber Security working with Trend Micro Zero Day
Initiative (CVE-2020-3802)
    Huw Pigott of Shearwater Solutions, a CyberCX company
(CVE-2020-3803)
    Duy Phan Thanh (bit) of STAR Labs (CVE-2020-3800, CVE-2020-3801)
    Ke Liu of Tencent Security Xuanwu Lab (CVE-2020-3804, CVE-2020-3805)
    STARLabs @PTDuy during the Tianfu Cup competition (CVE-2020-3793)
    T Sung Ta (@Mipu94) of SEFCOM Lab, Arizona State University
(CVE-2020-3792)
    Xinyu Wan, Yiwei Zhang and Wei You from Renmin University of China
(CVE-2020-3806, CVE-2020-3807, CVE-2020-3795, CVE-2020-3797)
    Xu Peng and Su Purui from TCA/SKLCS Institute of Software Chinese
Academy of Sciences and Wang Yanhao from QiAnXin Technology Research
Institute (CVE-2020-3799)



=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================